Assess with Zift
Overview
Before you can govern authorization, you have to find it. In most codebases the authorization logic is not in one place: it is scattered across role checks, permission guards, and middleware, mixed into application code. Zift is the assess product in the EnforceAuth AI Security Fabric. It scans a codebase, finds that embedded authorization, and extracts it to Rego so a Policy Decision Point (OPA or Enterprise OPA) can make the decision instead of the app.
This course teaches how Zift works: the two-pass scan model, extracting findings to Rego, and the externalization percentage, the metric a CISO uses to track how much authorization has moved out of code and under policy control.
Who this is for
Both EnforceAuth customers and open-source OPA users on the Associate track.
Zift is open source (a Rust scanner). You do not run Zift to complete this
course: the graded lab hands you a Zift-extracted policy and you author its
decision rules in Rego, then validate them with opa. The lab requires writing
Rego, so complete OPA & Enterprise OPA Fundamentals
(opa-eopa-fundamentals) first, it covers
default-deny, incremental allow if rules, the in operator, and writing tests
with with input as.
Outcomes
By the end of this course you will be able to:
- Explain why embedded authorization is a security problem and what Zift finds.
- Describe Zift's two-pass model: a structural (tree-sitter) pass and a
--deepLLM-assisted pass. - Read a Zift-extracted Rego policy and reason about the decision it encodes.
- Define the externalization percentage and explain what it tells a CISO.
Lessons
- Embedded authorization and the Authorization Gap
- How Zift scans: the two-pass model
- Extracting findings to Rego
- The externalization percentage
Hands-on lab
This course includes a hands-on lab in lab/. It is a policy Zift
extracted from a document service with its two allow decision rules removed;
you implement them in lab/policy.rego until the test
suite passes. Clone the public labs repo and run:
git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/assess-with-zift -v
The starter reports PASS: 4/8; your target is PASS: 8/8. Keep iterating until opa test is green.
Certification
Counts toward the Associate track. Certification is a machine-graded
practical: you author a policy that the assessment engine runs against a
hidden opa test suite you do not see. This lab is practice for that exam, a short quiz reinforces the concepts, but the
graded bar is your policy passing the hidden suite.